b' Audit of NARA\xe2\x80\x99s Internal\n    Control Program\n\n\nOIG Audit Report No. 10-19\n\n\n\n   September 29, 2010\n\x0cTable of Contents\n\n\nExecutive Summary ........................................................................................ 3\n\nBackground ..................................................................................................... 5\n\nObjectives, Scope, Methodology .................................................................... 6\n\nAudit Results................................................................................................... 7\n\nAppendix A \xe2\x80\x93 OIG Review of NARA\xe2\x80\x99s FY 2009 Statement of Assurance 11\n\nAppendix B \xe2\x80\x93 Acronyms and Abbreviations ................................................ 16\n\nAppendix C \xe2\x80\x93 Management\xe2\x80\x99s Response to the Report ................................. 17\n\nAppendix D \xe2\x80\x93 Report Distribution List ........................................................ 18\n\x0c                                                                     OIG Audit Report No. 10-19\n\n\nExecutive Summary\n\nThe National Archives and Records Administration (NARA) Office of Inspector General\n(OIG) performed an audit of NARA\xe2\x80\x99s Internal Control Program. Annually, the OIG\nperforms a review to ensure NARA managers continuously monitor and improve the\neffectiveness of internal controls associated with their programs. This continuous\nmonitoring, in conjunction with other periodic evaluations, provides the basis for the\nagency head\xe2\x80\x99s annual assessment of, and report on, internal controls as required by the\nFederal Managers\xe2\x80\x99 Financial Integrity Act (FMFIA) of 1982 (Public Law 97-255).\n\nThe objectives of the audit were to (1) evaluate NARA\xe2\x80\x99s compliance with guidance\ncontained in FMFIA and the Office of Management and Budget\xe2\x80\x99s (OMB) Circular A-\n123, Management\xe2\x80\x99s Responsibility for Internal Control (the Circular), and the adequacy\nof the agency\xe2\x80\x99s assurance statement and (2) identify and evaluate the system of internal\ncontrols using the Government Accountability Office\xe2\x80\x99s (GAO), Standards for Internal\nControl in the Federal Government (the Standards), for assessing and evaluating internal\ncontrols. Specifically, we (1) examined management\xe2\x80\x99s responsibilities for internal\ncontrol in Federal agencies as outlined in the Circular, and (2) reviewed the status of open\nrecommendations made in prior year reports. Also, to facilitate the submission of\nNARA\xe2\x80\x99s annual assurance statement, we performed a preliminary review of the agency\nassurance statement in October 2009 (Appendix A).\n\nOur initial assessment of the agency\xe2\x80\x99s FY 2009 assurance statement, as conveyed in our\nOctober 20, 2009 memorandum (Appendix A), was NARA\xe2\x80\x99s statement underreported\nmaterial risk associated with Preservation and Processing programs and did not\naccurately reflect the breadth of risks in NARA\xe2\x80\x99s Information Security Program. This is\nthe same conclusion we reached and conveyed to the agency in our assessments of their\nFY 2007 and FY 2008 assurance statements.\n\nOur audit revealed at the end of the FMFIA reporting period, September 30, 2009,\nNARA did not fully comply with the requirements of the Circular as a formalized internal\ncontrol program did not exist. 1 Since then NARA has made progress, and should be\ncommended for establishing an implementation plan for a comprehensive internal control\nprogram. However, while the plan was established, much more remains to be done on\nthe internal control program. Also, management has not closed the open audit\nrecommendations from the last two years\xe2\x80\x99 audit reports. As a result of these conditions,\nNARA continues to exhibit weaknesses in internal controls first identified in FY 2007\nthat degrade the effectiveness of internal controls and the accuracy of office assurance\nstatements.\n\n\n\n\n1\n Although NARA is excluded from Appendix A of the Circular, the A-123 requirements in the Circular are\nfor all agencies and require management to develop and maintain effective internal controls.\n                                           Page 3\n                        National Archives and Records Administration\n\x0c                                                        OIG Audit Report No. 10-19\n\n\nWe are making two recommendations which we believe, once implemented, will address\nweaknesses cited in this review.\n\n\n\n\n                                      Page 4\n                   National Archives and Records Administration\n\x0c                                                                      OIG Audit Report No. 10-19\n\n\nBackground\n\nThe Federal Managers\xe2\x80\x99 Financial Integrity Act (FMFIA), Public Law 97-255, requires\neach agency to establish controls that reasonably ensure: (1) obligations and costs comply\nwith applicable law, (2) assets are safeguarded against waste, loss, unauthorized use or\nmisappropriation, and (3) revenues and expenditures are properly recorded and accounted\nfor. In addition, the agency head must annually evaluate and report on the systems of\ninternal accounting and administrative control.\n\nThe Office of Management and Budget (OMB) Circular A-123, Management\xe2\x80\x99s\nResponsibility for Internal Control (the Circular), defines management\xe2\x80\x99s responsibility\nfor internal control in Federal agencies. It provides guidance to Federal managers on\nimproving the accountability and effectiveness of Federal programs and operations by\nestablishing, assessing, correcting, and reporting on internal control. OMB revised the\nCircular in response to the Sarbanes-Oxley Act, effective in fiscal year 2006. This\nrevision strengthened the requirements for management\xe2\x80\x99s assessment of internal control\nover financial reporting. The new requirements apply only to the 24 Chief Financial\nOfficer Act agencies, thus exempting NARA from reporting pursuant to Section 4 of the\nFMFIA. However, NARA is still required to report on internal controls pursuant to\nSection 2 of FMFIA.\n\nNARA issued Directive 114, Management Controls, to help managers implement the\nrequirements of the Circular. NARA 114 defines responsibilities; defines the types of\nreviews that could be considered internal control assessments; identifies documentation\nthat must be maintained in support of an internal control evaluation, and; addresses the\ndevelopment and maintenance of management control plans. Among the responsibilities\ndefined by this guidance, Office Heads are required to identify and analyze risk, and the\nPolicy and Planning Staff (NPOL) are required to provide oversight, guidance, and\nassistance to NARA offices concerning implementation of the NARA internal control\nprogram.\n\nAssurance statements and information relating to FMFIA Section 2, Section 4 (from\nwhich NARA is exempt), and internal control over financial reporting should be provided\nin a single FMFIA report section of the annual Performance and Accountability Report\n(PAR) labeled \xe2\x80\x9cManagement Assurances.\xe2\x80\x9d The section should include the annual\nassurance statement, summary of material weaknesses and non-conformances, and\nsummary of corrective action plans. Furthermore, FMFIA requires the Archivist to\nannually submit to the President and Congress (1) a statement on whether there is\nreasonable assurance that the agency\xe2\x80\x99s controls are achieving their intended objectives,\nand (2) a report on material weaknesses in the agency\xe2\x80\x99s controls. 2\n\n\n2\n  NARA publishes the assurance statement in the annual PAR and no longer sends a separate statement to\nthe President and Congress.\n                                           Page 5\n                        National Archives and Records Administration\n\x0c                                                              OIG Audit Report No. 10-19\n\n\nObjectives, Scope, Methodology\n\nThe objectives of the audit were to (1) evaluate NARA\xe2\x80\x99s compliance with guidance\ncontained in FMFIA and OMB A-123 and the adequacy of the agency\xe2\x80\x99s assurance\nstatement and (2) identify and evaluate the system of internal controls using GAO\nguidance for assessing and evaluating internal controls. Specifically, we (1) examined\nmanagement\xe2\x80\x99s responsibilities for internal control in Federal agencies as outlined in the\nCircular, and (2) reviewed the status of open recommendations made in prior year\nreports. Also, to facilitate the submission of NARA\xe2\x80\x99s annual assurance statement, we\nperformed a preliminary review of the agency assurance statement in October 2009\n(Appendix A).\n\nThis audit was conducted in accordance with generally accepted government auditing\nstandards between September 2009 and September 2010. These standards require we\nplan and perform the audit to obtain sufficient, appropriate evidence to provide a\nreasonable basis for our findings and conclusions based on our audit objectives. We\nbelieve the evidence obtained provides a reasonable basis for our findings and\nconclusions based on our audit objectives.\n\n\n\n\n                                        Page 6\n                     National Archives and Records Administration\n\x0c                                                              OIG Audit Report No. 10-19\n\n\nAudit Results\n\n1. Lack of a formal internal control program.\nOur review revealed NARA has not fully complied with the requirements of the Circular\nas there was no formalized internal control program. This condition exists because\nmanagement has in the past focused on preparing assurance statements and management\ncontrol plans, rather than implementing all of the standards for internal control. Internal\ncontrols are an integral component of an organization\xe2\x80\x99s management, and without it there\nis no reasonable assurance the following objectives were achieved: (1) effectiveness and\nefficiency of operations, (2) reliability of financial reporting, and (3) compliance with\napplicable laws and regulations. Also, the lack of a properly maintained internal control\nenvironment commensurate with NARA\xe2\x80\x99s activities can create issues, including\nunreliable financial reporting, unauthorized use or misappropriation of funds, and\nopportunities for fraud, waste, and abuse.\n\nThe Circular requires management to develop and maintain effective internal controls.\nEffective internal controls provide assurance significant weaknesses in the design or\noperation of internal control, that could adversely affect the agency\xe2\x80\x99s ability to meet its\nobjectives, would be prevented or detected in a timely manner. The U.S. Government\nAccountability Office\xe2\x80\x99s (GAO\xe2\x80\x99s), Standards for Internal Control in the Federal\nGovernment (the Standards) outlines the five standards for internal control as (1) control\nenvironment, (2) risk assessment, (3) control activities, (4) information and\ncommunication, and (5) monitoring. The Standards define the minimum level of quality\nacceptable for internal controls in the federal government and provide the basis against\nwhich internal controls are to be evaluated. Each standard is important, and all have to\nfunction together to make an effective control structure. All of the standards need to be\nimplemented to have an effective internal control program, and therefore, NARA cannot\ncontinue to piecemeal the program as they have done in the past. Internal controls are\nlikely to function well if management believes those controls are important and\ncommunicates that view to employees at all levels. If employees don\xe2\x80\x99t think\nmanagement is committed to putting an internal control environment in place, then\ninternal controls will be regarded as \xe2\x80\x9cred tape\xe2\x80\x9d and a waste of time.\n\nWe noted NARA will not be in full compliance with the Circular until it identifies critical\nfunctions, control and monitoring activities, and develops a formal risk management\nprocess. In the past management had not shown a comprehensive understanding of risk\nassessments and therefore did not adequately apply risk assessment as a component of\ntheir internal control planning and testing. Furthermore, the agency did not have the\nstructure in place to support adequate, agency-wide/strategic risk identification and risk\nmitigation strategies.\n\nAt of the end of the FMFIA reporting period, September 30, 2009, NARA did not have\nan adequate internal control program. Since then NARA has made progress in\n                                         Page 7\n                      National Archives and Records Administration\n\x0c                                                              OIG Audit Report No. 10-19\n\n\nimplementing a program. NPOL is leading the efforts in completing an implementation\nplan to address the areas NARA is not compliant with for the Circular. The plan\nidentifies key activities, milestones, deliverables, and target dates for implementation.\nThe initial phase of the implementation plan is to establish a baseline which will serve as\nthe initial framework around which the internal control program will be structured. The\ninitial baseline includes identifying the agency\xe2\x80\x99s existing critical functions, controls,\nrisks, and monitoring activities. It also includes creating standard risk assessments. The\nframework will be reflected in the initial build out of a system NPOL would like to\nprocure to automate the internal control program and related processes. NPOL does not\nexpect the system to be fully functional until FY 2012.\n\nThe initial phase of the implementation plan will be considered complete once (1) the\nprogram baseline has been established and is reflected in the internal control automated\nsystem, (2) standard risk assessment questionnaires have been developed and\nincorporated into the system, and (3) accountable officials, function owners (or line of\nbusiness owners), and senior managers are trained. After the initial phase, the annual\ninternal control review will consist of review and revision of critical functions,\npreparation of risk assessments, and detailed control reviews based on the results of the\nrisk assessments.\n\nThe OIG believes management is moving in the right direction in complying with the\nCircular. We will continue to track their efforts in the future.\n\nRecommendation 1\n\nThe Archivist of the United States should:\n\na) Demonstrate a commitment to the internal control program by establishing\n   centralized responsibility within NARA\xe2\x80\x99s existing organizational structure or within\n   the proposed Performance & Accountability Office (as indicated in the Proposed\n   NARA Organization Report from the Archivist\xe2\x80\x99s Task Force on Agency\n   Transformation).\n\nb) Formalize the Internal Control program to include the five standards for internal\n   control: (1) control environment, (2) risk assessment, (3) control activities,\n   (4) information and communication, and (5) monitoring.\n\nc) Consider establishing a Senior Management Council to provide oversight and\n   additional accountability for the Internal Control Program.\n\nManagement Response\n\nManagement concurred with recommendation.\n\n\n\n\n                                         Page 8\n                      National Archives and Records Administration\n\x0c                                                                 OIG Audit Report No. 10-19\n\n\n2. Prior year audit recommendations remain open.\nOur review found recommendations for corrective actions contained in our FY 2007 3 and\nFY 2008 4 assurance statement audits have not been implemented. These\nrecommendations were aimed at both addressing non-compliance with provisions of\nNARA 114 and the Circular, and modifying existing management control plans which\ntoo narrowly defined/identified \xe2\x80\x9ccritical functions\xe2\x80\x9d to allow for proper testing and\nevaluation of controls. This condition exists because for the last two years NPOL\nplanned to revise NARA Directive 114, Management Controls, which NARA\xe2\x80\x99s\nManagement Control Liaison believed upon implementation by the program offices,\nwould be the first step in addressing the open recommendations from the prior two years.\nAt the end of fieldwork, the directive had not been revised by NPOL.\n\nOur recommendations for the last two years were as follows:\n\n    \xe2\x80\xa2   the Archivist should ensure NARA\xe2\x80\x99s policy on internal controls (such as NARA\n        114) be revised to specifically address the process by which findings are\n        evaluated and categorized; criteria used in the decision making process, and;\n        documentation necessary to support such conclusions;\n    \xe2\x80\xa2   the Assistant Archivist for Administrative Services should ensure Annual\n        Information Security Self Inspection results are reviewed in a timely manner,\n        instances of non-compliance are identified, and corrective actions are monitored;\n        and self inspections are reviewed and documented in accordance with guidance\n        concerning self-assessments contained in NARA 114. If a formal process as\n        referred to by the Information Security Officer is not completed, alternate means\n        of reviewing the checklists should be developed.\n    \xe2\x80\xa2   the Assistant Archivist for Regional Records Services should ensure all program\n        findings, regardless of whether they are considered major or minor, are tracked to\n        resolution and supported by adequate documentation;\n    \xe2\x80\xa2   NPOL work with offices in general, and management control liaisons in\n        particular, to:\n            o stress the importance of performing internal control assessments of critical\n                areas in accordance with management control plans and NARA 114;\n            o ensure the results of the assessments are included in the assurance\n                statements, and;\n            o revise, as necessary, the lists of \xe2\x80\x9ccritical functions\xe2\x80\x9d to be reviewed.\n\nThe Circular requires the agency and individual managers to take systematic and\nproactive measures to assess the adequacy of internal controls in Federal programs and\noperations, identify needed improvements, take corresponding corrective action, and\nreport annually on internal controls in order to be accountable for their area of control.\n\n3\n  OIG Audit Report No, 08-06, Evaluation of NARA\xe2\x80\x99s FY 2007 Management Control Program (March 7,\n2008). The recommendations in 08-06 were closed and carried forward to OIG Report No. 09-14.\n4\n  OIG Audit Report No. 09-14, Evaluation of NARA\xe2\x80\x99s FY 2008 Management Control Program (August 28,\n2009).\n                                          Page 9\n                       National Archives and Records Administration\n\x0c                                                            OIG Audit Report No. 10-19\n\n\nNARA Directive 114 provides guidance for establishing, assessing, correcting, and\nreporting on internal controls. Both documents convey the elements necessary for\nconducting and documenting sufficient internal control reviews.\n\nFailing to consistently review critical areas/programs weakens management\naccountability and decreases the likelihood problems will be identified and program risks\nminimized. Furthermore, it promotes a false sense of assurance about the level of\nprogram or function oversight provided by management and could result in an agency\nassurance statement which inaccurately conveys risk.\n\nRecommendation 2\n\nThe Archivist, Assistant Archivist for Administrative Services, Assistant Archivist for\nRegional Records Services, and Director of Policy and Planning should ensure\nrecommendations from OIG Report No. 09-14 are implemented and previously identified\nweaknesses are corrected.\n\nManagement Response\n\nManagement concurred with recommendation.\n\n\n\n\n                                        Page 10\n                     National Archives and Records Administration\n\x0c                                                OIG Audit Report No. 10-19\n\n\nAppendix A \xe2\x80\x93 OIG Review of NARA\xe2\x80\x99s FY 2009\nStatement of Assurance\n\n\n\n\n                              Page 11\n           National Archives and Records Administration\n\x0c                                     OIG Audit Report No. 10-19\n\n\n\n\n                   Page 12\nNational Archives and Records Administration\n\x0c                                     OIG Audit Report No. 10-19\n\n\n\n\n                   Page 13\nNational Archives and Records Administration\n\x0c                                     OIG Audit Report No. 10-19\n\n\n\n\n                   Page 14\nNational Archives and Records Administration\n\x0c                                     OIG Audit Report No. 10-19\n\n\n\n\n                   Page 15\nNational Archives and Records Administration\n\x0c                                                     OIG Audit Report No. 10-19\n\n\nAppendix B \xe2\x80\x93 Acronyms and Abbreviations\n\nFMFIA           Federal Managers\xe2\x80\x99 Financial Integrity Act\nGAO             Government Accountability Office\nNARA            National Archives and Records Administration\nNPOL            Policy and Planning Staff\nOIG             Office of Inspector General\nOMB             Office of Management and Budget\nPAR             Performance and Accountability Report\nThe Circular    Circular A-123, Management\xe2\x80\x99s Responsibility for Internal Control\nThe Standards   Standards for Internal Control in the Federal Government\n\n\n\n\n                                   Page 16\n                National Archives and Records Administration\n\x0c                                                 OIG Audit Report No. 10-19\n\n\nAppendix C \xe2\x80\x93 Management\xe2\x80\x99s Response to the Report\n\n\n\n\n                               Page 17\n            National Archives and Records Administration\n\x0c                                                           OIG Audit Report No. 10-19\n\n\nAppendix D \xe2\x80\x93 Report Distribution List\n\nArchivist of the United States\nDeputy Archivist of the United States\nAssistant Archivist, Office of Administration Services (NA)\nAssistant Archivist, Office of Regional Records Services (NR)\nDirector, Policy and Planning (NPOL)\nChief of Staff\nManagement Control Liaison, Policy and Planning (NPOL)\n\n\n\n\n                                       Page 18\n                    National Archives and Records Administration\n\x0c'